1.4 Source Code Analysis
1.4.1 SEARCH
Endpoints & URL-matching patterns
Files & their permissions
Database & realms
User
Logs
Content
Keystore
1.4.2 OPEN SOURCE FILES
1.4.3 INFO
INTERESTING CLASSES
INTERESTING FUNCTIONS
1.4.4 THINGS TO REPORT
Cleartext credentials (includes base64 encoded or weak encrypted ones)
Credentials cracked (brute-force, guessing, decrypted with stored cryptographic-key, a.s.o...)
File permission MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write)
If http is in use (no SSL)
Anything that shouldn't be there (debug info, comments with info disclosure, ...)
Last updated
Was this helpful?